blobs: attempt to verify on decode when possible
regular chunks are only decoded when their contents are accessed, in which case we need to have the key anyway and want to verify the digest. for blobs we need to verify beforehand, since their checksums are always calculated based on their raw content, and stored in the manifest. manifests are also stored as blobs, but don't have a digest in the traditional sense (they might have a signature covering parts of their contents, but that is verified already when loading the manifest). this commit does not cover pull/sync code which copies blobs and chunks as-is without decoding them. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler
committed by
Dietmar Maurer
Dietmar Maurer
parent
0f9218079a
commit
8819d1f2f5
@ -21,9 +21,13 @@ lazy_static! {
|
||||
let key = [1u8; 32];
|
||||
Arc::new(CryptConfig::new(key).unwrap())
|
||||
};
|
||||
|
||||
static ref TEST_DIGEST_PLAIN: [u8; 32] = [83, 154, 96, 195, 167, 204, 38, 142, 204, 224, 130, 201, 24, 71, 2, 188, 130, 155, 177, 6, 162, 100, 61, 238, 38, 219, 63, 240, 191, 132, 87, 238];
|
||||
|
||||
static ref TEST_DIGEST_ENC: [u8; 32] = [50, 162, 191, 93, 255, 132, 9, 14, 127, 23, 92, 39, 246, 102, 245, 204, 130, 104, 4, 106, 182, 239, 218, 14, 80, 17, 150, 188, 239, 253, 198, 117];
|
||||
}
|
||||
|
||||
fn verify_test_blob(mut cursor: Cursor<Vec<u8>>) -> Result<(), Error> {
|
||||
fn verify_test_blob(mut cursor: Cursor<Vec<u8>>, digest: &[u8; 32]) -> Result<(), Error> {
|
||||
|
||||
// run read tests with different buffer sizes
|
||||
for size in [1, 3, 64*1024].iter() {
|
||||
@ -52,7 +56,7 @@ fn verify_test_blob(mut cursor: Cursor<Vec<u8>>) -> Result<(), Error> {
|
||||
|
||||
let blob = DataBlob::load_from_reader(&mut &raw_data[..])?;
|
||||
|
||||
let data = blob.decode(Some(&CRYPT_CONFIG))?;
|
||||
let data = blob.decode(Some(&CRYPT_CONFIG), Some(digest))?;
|
||||
if data != *TEST_DATA {
|
||||
bail!("blob data is wrong (decode)");
|
||||
}
|
||||
@ -65,7 +69,7 @@ fn test_uncompressed_blob_writer() -> Result<(), Error> {
|
||||
let mut blob_writer = DataBlobWriter::new_uncompressed(tmp)?;
|
||||
blob_writer.write_all(&TEST_DATA)?;
|
||||
|
||||
verify_test_blob(blob_writer.finish()?)
|
||||
verify_test_blob(blob_writer.finish()?, &*TEST_DIGEST_PLAIN)
|
||||
}
|
||||
|
||||
#[test]
|
||||
@ -74,7 +78,7 @@ fn test_compressed_blob_writer() -> Result<(), Error> {
|
||||
let mut blob_writer = DataBlobWriter::new_compressed(tmp)?;
|
||||
blob_writer.write_all(&TEST_DATA)?;
|
||||
|
||||
verify_test_blob(blob_writer.finish()?)
|
||||
verify_test_blob(blob_writer.finish()?, &*TEST_DIGEST_PLAIN)
|
||||
}
|
||||
|
||||
#[test]
|
||||
@ -83,7 +87,7 @@ fn test_encrypted_blob_writer() -> Result<(), Error> {
|
||||
let mut blob_writer = DataBlobWriter::new_encrypted(tmp, CRYPT_CONFIG.clone())?;
|
||||
blob_writer.write_all(&TEST_DATA)?;
|
||||
|
||||
verify_test_blob(blob_writer.finish()?)
|
||||
verify_test_blob(blob_writer.finish()?, &*TEST_DIGEST_ENC)
|
||||
}
|
||||
|
||||
#[test]
|
||||
@ -92,5 +96,5 @@ fn test_encrypted_compressed_blob_writer() -> Result<(), Error> {
|
||||
let mut blob_writer = DataBlobWriter::new_encrypted_compressed(tmp, CRYPT_CONFIG.clone())?;
|
||||
blob_writer.write_all(&TEST_DATA)?;
|
||||
|
||||
verify_test_blob(blob_writer.finish()?)
|
||||
verify_test_blob(blob_writer.finish()?, &*TEST_DIGEST_ENC)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user